DCSA's Regional Operators Lack the Analytic Tools to Properly Assess Industrial Security Risk
One of the more precise findings in the GAO’s April 2026 industrial security report is that DCSA has built risk assessment capabilities at the national level while leaving its regional operators without meaningful tools to analyze risk in their own portfolios. The gap matters because the facilities within each of DCSA’s four regions — Mid-Atlantic, Eastern, Central, and Western — have substantially different characteristics, and national-level trend data does not capture the distinctions that should drive local prioritization.
DCSA headquarters produces a biweekly toolkit that pulls data from the agency’s system of record, NISS, and is distributed to regional officials. The toolkit covers active facilities, security violations, and open vulnerabilities across all four regions. In principle, it can be filtered by region. In practice, participants in seven of the twelve focus groups GAO conducted described it as a logistical tracker, not an analytic product — not user-friendly, lacking automation, and incapable of generating trend reports based on fields that operators actually care about. One participant described it as “50 columns of gobbledygook.” Another noted that DCSA headquarters does not compile annual trend reports at all; it briefs industry on common non-compliance issues, but systematic trend documentation does not exist.
DOD Instruction 5010.40 calls for risk management to be applied both top-down and bottom-up, with the bottom-up approach requiring tools that aggregate and analyze risks at the component level relative to strategic goals and performance objectives. Federal internal control standards similarly require that risks be analyzed to estimate their significance. DCSA’s current toolkit does not meet these standards at the regional level.
The regional variation problem is not hypothetical. Mid-Atlantic region officials told GAO that their region contains approximately 45 percent of the agency’s facilities under foreign ownership, control, or influence — even though it is just one of four regions. A nationwide risk picture would systematically underrepresent that concentration, which regional operators need to see in order to make sound decisions about which facilities to prioritize and when.
DCSA has acknowledged the need. Its July 2025 Capability Needs Statement for the NISS replacement, NI2, expresses intent to implement analytical tools using artificial intelligence-enhanced data aggregation and analysis. But those capabilities have not been deployed. Participants in nine of twelve focus groups reported that analytic capabilities and trend analysis could be substantially enhanced, and nine groups also identified NISS’s limited data query functionality as a direct obstacle to risk assessment work. Until analytic tools are available to regional operators, they will continue making prioritization decisions with incomplete information in an environment where the number of facilities far exceeds the staff available to review them.